Enterprise Applikation Integration und Service-orientierte Architekturen. 10 Webservices Addons

Transcription

1 Enterprise Applikation Integration und Service-orientierte Architekturen 10 Webservices Addons

2 Überblick über die Spezifikationen [ ] Prof. Dr. Holger Wache 2

3 List of Standards [ ] Prof. Dr. Holger Wache 3

4 Basic Standards Prof. Dr. Holger Wache [ ] 4

5 Useful Standards Prof. Dr. Holger Wache [ ] 5

6 Business Standards Prof. Dr. Holger Wache [ ] 6

7 Example: Security: Basic Components Identification For service requestor to acces a secure service provider it must first provide information that expresses its origin or owner. This is referred to as making a claim Authentiaction A message being delivered to a receipient must prove that the message is in fact from the sender that it claims Authorization Once authenticated, the receipient of a message may need to determine what the requestor is alowed to do Singe sign on It is supported by SAML,.NET Passport and XACML Confidentiality and Integrity Confidentiality is concerned with protecting the privacy of the message content, Integrity ensures that the message has not been altered Transport level and Message level security Transport level securiy is provided by SSL (securing HTTP), message level confidentiality and integrity are provied by XML-Encryption and XML-Signature. Prof. Dr. Holger Wache 7

8 TLS/SSL ist NICHT sicher Prof. Dr. Holger Wache 8

9 WS-Security Standard von Microsoft, IBM, Verisign Erweitert SOAP bindet verschieden Sicherheitstechnologien in einem Paket zusammen Rahmenwerk; erweiterbar Prof. Dr. Holger Wache 9

10 WS-Security: Das Basispaket Sicherheit auf Nachrichtenebene Teilweise Verschlüsselung definiert, wie selbst einzelne Elemente signiert und verschlüsselt werden sollen baut auf XML-Signature, XML-Encryption auf (kein neuer Standard, sondern bündelt diese) Prof. Dr. Holger Wache 10

11 WS-Policy Formulierung von Sicherheitsanforderungen und Richtlinen Beispiel: Transportprotokoll, Verfahren zur Authentifizierung Prof. Dr. Holger Wache 11

12 WS-Policy Information Model Assertion 1 Assertion 2 (01) <wsp:policy> (02) <wsp:exactlyone> (03) <wsp:all> (04) <sp:signedparts> (05) <sp:body/> (06) </sp:signedparts> (07) </wsp:all> (08) <wsp:all> (09) <sp:encryptedparts> (10) <sp:body/> (11) </sp:encryptedparts> (12) </wsp:all> (13) </wsp:exactlyone> (14) </wsp:policy> Alternative 1 Alternative 2 Prof. Dr. Holger Wache 12

13 WS-Trust Unterstützt initialen Austausch von sicherheitsrelevanten und geheimen Daten Probleme: Format Vertrauensbeziehung (Verifizierbare Kette zur Übermittlung der vertraulichen Daten) Namensräume (semantische Heterogenitäten) Beispiel: Schlüssel Prof. Dr. Holger Wache 13

14 WS-SecureConversation Austausch mehrerer Nachrichten in einem definierten Sicherheitskontext gegenseitige Authentifizierung Prof. Dr. Holger Wache 14

15 WS-Privacy, WS Federation, WS-Authorization WS-Privacy: Wünsche und Forderungen zur Vertraulichkeit der Daten (keine Weitergabe an Dritte) WS Federation: Etablierung von Vertrauensdomänen über Unternehmensgrenzen hinweg verwendet WS-Policy, WS-Trust und WS-SecureConversation WS-Authorization: Zugriffskontrolle im Web-Service Umfeld Prof. Dr. Holger Wache 15

16 WS-* security standards implementations Microsoft.NET Framework 2.0 / WSE3.0 WS-Security (OASIS 2004 standard), WS-Policy, WS-SecurityPolicy, WS- Trust, WS-SecureConversation and WS-Addressing SUN Web Services Interoperability Technology (WSIT) IBM WebSphere Open Software: The Apache Software Foundation Web Services Project ( Prof. Dr. Holger Wache 16

17 Web Services Interoperability Technologies (WSIT) Ensure interoperability of web services enterprise technologies such as message optimization, reliable messaging, security, and includes a bootstrapping and configuration technology WSIT is an implementation of a number of open web services specifications to support enterprise features Developed by Sun working closely with Microsoft Prof. Dr. Holger Wache [ ] 17

18 Overview of WSIT Prof. Dr. Holger Wache 18 [ ]

19 Bootstrapping and Configuration 1. Client acquires the URL for a web service that it wants to access and consume. 2. The client uses the URL and the wsimport tool to send a MetadataExchangeRequest to access the web service and retrieve the WSDL file. The WSDL file may include WS-Policy assertions that describe the security and/or reliability capabilities and requirements of the service. 3. The client uses the WSDL file to create the web service client. 4. The web service client accesses and consumes the web service. Prof. Dr. Holger Wache [ ] 19

20 Implemented Standards Prof. Dr. Holger Wache [ ] 20

21 Message Optimisation Message optimization ensures that web services messages are transmitted over the Internet in the most efficient manner. Because XML is a textual format, binary files must be represented using character sequences before they can be embedded in an XML document. The encoding and decoding process of the binary files is expensive and the costs increase linearly as the size of the binary object increases. Prof. Dr. Holger Wache [ ] 21

22 Message Optimisation Message optimization enables web service endpoints to identify large binary message payloads, remove the message payloads from the body of the SOAP message, encode the message payloads using an efficient encoding mechanism (effectively reducing the size of the payloads), re-insert the message payloads into the SOAP message as attachments (the file is linked to the SOAP message body by means of an Include tag). Prof. Dr. Holger Wache [ ] 22

23 Message Optimisation SOAP MTOM, paired with the XML-binary Optimized Packaging (XOP), addresses the inefficiencies related to the transmission of binary data in SOAP documents. Using MTOM and XOP, XML messages are dissected in order to transmit binary files as MIME attachments in a way that is transparent to the application. Thus, the WSIT technology achieves message optimization through an implementation of the MTOM and XOP specifications. Sun recommend to use this technology for binary data bigger than 1 kb! Prof. Dr. Holger Wache [ ] 23

24 Implemented Standards Prof. Dr. Holger Wache 24 [ ]

25 Reliable Messaging Each message is delivered to the destination application at least once. Each message is delivered to the destination application at most once. Sequences of messages are grouped by sequence identifiers and delivered to the destination application in the order defined by the message numbers. Prof. Dr. Holger Wache [ ] 25

26 Implemented Standards Prof. Dr. Holger Wache [ ] 26

27 Secure Messaging Consists of three parts: Security Policy Exchange Trust and Secure Conversation Secure Conversation Prof. Dr. Holger Wache [ ] 27

28 Security Policy Exchange The security policy model uses the policy specified in the WSDL file for associating policy assertions with web service communication. Following types of assertions are supported: Protection assertions: Conditional assertions: Security binding assertions: Supporting token assertions: Web Services Security and Trust assertions: Prof. Dr. Holger Wache [ ] 28

29 Trust and Secure Conversation 1. The client establishes an HTTPS connection with the Secure Token Service using one of the following methods: 1. Username Authentication and Transport Security: The client authenticates to the Security Token Service using a username token. The Security Token Service uses a certificate to authenticate to the Client. Transport security is used for message protection. 2. Mutual Authentication: Both the client-side and server-side use X509 certificates to authenticate to each other. The client request is signed using Client s X509 certificate, then signed using ephemeral key. The web service signs the response using keys derived from the client s key. 2. The client sends a RequestSecurityToken message to the Security Token Service. 3. The Security Token Service sends a Security Assertion Markup Language (SAML) token to the Client. 4. The client uses the SAML token to authenticate itself to the web service and trust is established. Prof. Dr. Holger Wache [ ] 29

30 Secure Conversation The client sends a X509 Certificate to authenticate itself to the web service. The web service sends a X509 Certificate to authenticate itself to the client. Prof. Dr. Holger Wache [ ] 30

31 Implemented Standards Prof. Dr. Holger Wache [ ] 31